Reference no: EM133021386

MIS607 Cybersecurity - Laureate International Universities

Threat Model Report

Learning Outcome 1 Explore and articulate cyber trends, threats and staying safe in cyberspace, plus protecting personal and company data.

Learning Outcome 2 Analyse issues associated with organisational data networks and security to recommend practical solutions towards their resolution.

Learning Outcome 4 Evaluate and communicate relevant technical and ethical considerations related to the design, deployment and/or the uses of secure technologies within various organisational contexts.

Task Summary

The goal of assessment 2 (A2) is to identify threats/vulnerabilities in the case scenario described in the associated file, Assessment Initial Case Scenario.docx. Not all threats/vulnerabilities you "discover" are in the initial case scenario. The scenario discusses some elements of the business that are needing mitigation, but you will need to also "discover" other threats/vulnerabilities.

The word count for this assessment is 1,500 words (±10%), not counting tables or figures. Tables and figures must be captioned (labelled) and referred to by caption (note that publishers do not guarantee tables and figures to be placed the same order or location as in your article). Caution: Items without a caption may be treated as if they are not in the report.

Be careful not to use up word count discussing cybersecurity basics. This is not an exercise in summarising your class notes, and such material will not count towards marks.
The report will not be marked without an Academic Integrity Declaration (see below).

DFD Requirements
The DFD must relate to the business described in the initial case scenario. Remember, the DFD is the first step in the risk analysis, but it is not the main output of the assessment. The main output is the categorised threats, see below.

For the DFD, you need at least a context diagram and a level-0 diagram. You can include further levels if you feel they are needed to show a threat boundary, but this is not necessary. The level-0 diagram (and further level diagrams, if needed) must not break the rules for proper DFD formation. And the DFDs (excluding the context diagram) must have labelled threat boundaries.

Threat Discovery
The main output of A2 should be a set of no less than 10 threats or vulnerabilities that need mitigation in the organisation. You will discover these with the help of the DFD and the threat boundaries.

The main threat for this assessment resembles a real-world attack. You need to develop a brief, factual overview of the real-world attack (web links can count as references here since the attack might not yet be covered academically). You are required to reference suggested mitigations, or costs in the real-world attack, this will help enormously with both A2 and A3 and will be taken into consideration when marking. Note carefully that any explanation of the real-world case is based on real information/data, not speculation or simulated "discovery".

It is important to understand that you need to "discover" additional threats/vulnerabilities on the associated initial case scenario. The scenario is only an initial assessment of the organisation. Your "discovery" can be simulated, based on your simulated investigation.

Obviously, you must cover the main threats already identified in the scenario, but other threats/vulnerabilities should be "discovered" by you.

Inform the reader about what discovery techniques were used. In dot points inform the audience.....who you talked to, questions you asked - but keep this very brief...8-10 dot points max.

Imagine yourself as a consultant called in to work inside the business to discover threats.

For this assignment, business acumen and business logic in approaching threats is what is required of you.

STRIDE methodology will be used for the reports. Note carefully that the DFD itself is not the main output of the assignment. The main result of the report is a set of threats or vulnerabilities. Important points are:

• Try to map these threats/vulnerabilities as best you can against threat boundaries;
• and categorize them as best you can against STRIDE categories. The STRIDE categories are not the threats.
Do not be concerned if the threats you discover do not fit all STRIDE categories. In a full, real-world assessment with hundreds of threats, this would be the case, but with around 10 threats this will probably not be possible. Try to cover at least three.

You can make assumptions, but the report is written from the point of view of a consultant who has made "discoveries" from their investigations. In the simulation you may gather needed information from stakeholders. Assessment markers are aware that the technical information "discovered" by you might not be 100% accurate in all details. However, your discoveries should be somewhat realistic.

Report Structure & Format
The report should have the following heading structure.
• Title Page
With subject code and name, assignment title, student's name, student number, and lecturer's
name. Also include AI declaration.
• Executive Summary
This should be written after the report and should briefly summarise what you did and what you found. It should be capable of being read by management generally, even those with relatively little IS experience.
• Body of the Report
DFD
threat discovery
threat list and STRIDE categorisation
• Conclusion
Summarise major findings or recommendations that the report puts forward.
• References
Use only APA style for citing and referencing

Attachment:- Case Scenario.rar